[unisog] New virus - not caught by central servers (fwd)

Scott M. Dier sdier at cs.umn.edu
Mon Jul 26 20:22:39 GMT 2004


Clamav updated recently too.  At 16:32 UTC.

http://article.gmane.org/gmane.comp.security.virus.clamav.virusdb/454

On Mon, 2004-07-26 at 14:49, Bob Kehr wrote:
> Symantec and Trend Micro already have defs out for this virus. Not sure 
> about Counterpane, McAfee, etc.
> 
> -Bob Kehr
> Univ California, Davis
> 
> Brian Haskell wrote:
> > From the U Minnesota computer gurus:
> > 
> > ---------- Forwarded message ----------
> > Date: Mon, 26 Jul 2004 11:22:31 -0500 (CDT)
> > Subject: New virus - not caught by central servers
> > 
> > 
> > Hey all,
> > 
> > There's a new virus out, which isn't yet caught by the central servers.
> > Please don't open any attachments you're not expecting! More details
> > below.
> > 
> > ---------- Forwarded message ----------
> > Date: Mon, 26 Jul 2004 11:14:21 -0500
> > From: Brian Eckman <eckman at umn.edu>
> > Reply-To: "umn-antivirus: Forum for exchanging information about fighting
> >                computer viruses" <UMN-ANTIVIRUS at LISTS.UMN.EDU>
> > To: UMN-ANTIVIRUS at LISTS.UMN.EDU
> > Subject: [Fwd: Counterpane Internet Security; Virus Alert; MyDoom.M;
> >           CIS20040726-1]
> > 
> > We are starting to see this on campus. AFAIK, the central servers cannot
> > detect this as virus signatures don't seem to have been released yet....
> > 
> > 
> > Brian
> > 
> > COUNTERPANE REFERENCE   CIS20040726-1
> > 
> > 
> > TITLE                           MyDoom.M
> > 
> > 
> > DATE DISCOVERED         July 13, 2004
> > 
> > 
> > VULNERABILITY/EVENT SUMMARY
> > 
> > Counterpane has received information pertaining to a Windows-based
> > variant of the MyDoom worm, known as MyDoom.M, that spreads via email
> > using SMTP.  The variant harvests recipient email addresses from the
> > infected system and also fakes the sender address using the same
> > harvested list.  This worm is being called 'MyDoom.o' by McAfee.
> > 
> > 
> > THREAT CLASSIFICATION
> > 
> > Virus/Worm
> > 
> > 
> > ANALYSIS
> > 
> > The MyDoom variant is currently being sent through the mail systems
> > utilizing the following Subject lines:
> > 
> >          The original message was included as attachment
> >          The/Your m/Message could not be delivered
> >          hello
> >          hi error
> >          status
> >          test
> >          report
> >          delivery failed
> >          Message could not be delivered
> >          Mail System Error - Returned Mail
> >          Delivery reports about your e-mail
> >          Returned mail: see transcript for details
> >          Returned mail: Data format error
> > 
> > The variant also contains an attachment that comes in the form of a
> > .zip, .com, .scr, .exe, .pif, or .bat file.  The filename is
> > delivered as a variation of the destination domain.  (i.e. an
> > attachment being sent to help at yourdomain.org could appear as
> > help at yourdomain.zip, yourdomain.exe or some other variation of this
> > naming scheme)
> > 
> > Review the links provided below for updated information as additional
> > details become available.
> > 
> > 
> > POSSIBLE MITIGATION
> > 
> > Ensure that all systems are deploying updated virus protection
> > software.
> > 
> > 
> > REFERENCE INFORMATION/VENDOR/CVE/BUGTRAQ
> > 
> > http://vil.nai.com/vil/content/v_127033.htm
> > http://www.f-secure.com/v-descs/mydoom_m.shtml
> > http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.M
> > 
> > 
> > COUNTERPANE RESPONSE
> > 
> > Counterpane is continuing to monitor this situation.  Counterpane has
> > seen minimal impact across the customer base at the time of
> > publication.  For customers using Counterpane's Firewall/IDS Device
> > Management, or Active Response, configurations have been verified or
> > updated based on business guidelines that are in place.
> > 
> > Counterpane Internet Security is happy to answer any questions you
> > may have regarding this report, and we thank you for your continued
> > support.
> > 
> > Counterpane Customer Service: 1-888-710-8171
> > 
> > 
> > LEGAL NOTICES
> > 
> > Copyright (c) 2004 Counterpane Internet Security
> > 
> > Permission is granted for the redistribution of this alert
> > electronically. It may not be edited in any way without the express
> > written consent of Counterpane. If you wish to reprint the whole or
> > any part of this alert in any other medium other than electronically,
> > please email customerservice at counterpane.com for permission.
> > 
> > Disclaimer: The information contained within this Security Alert is
> > provided for informational purposes and without warranty. Counterpane
> > recommends consulting your security policy when responding to this or
> > any security-related event. Counterpane also recommends testing any
> > vendor-recommended countermeasures prior to their deployment in a
> > production environment. The information in the advisory is believed
> > to be accurate at the time of publishing based on currently available
> > information. Use of the information constitutes acceptance for use in
> > an AS IS condition.  There are no warranties with regard to this
> > information. Neither the author nor the publisher accepts any
> > liability for any direct, indirect, or consequential loss or damage
> > arising from use of, or reliance on, this information.
> > 
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP 8.1
> > 
> > iQA/AwUBQQUtDy1c2J4oiDLuEQI1hgCgrYqueKXBOtKwSYX6Ci1brnFOgJsAoMxs
> > KD5bgM9Lv9UB+NArVq1YSLB+
> > =P6Gd
> > -----END PGP SIGNATURE-----
> > 
> > 
> > --
> > Brian Eckman
> > Security Analyst
> > OIT Security and Assurance
> > University of Minnesota
> > 
> > "There are 10 types of people in this world. Those who
> > understand binary and those who don't."
> > _______________________________________________
> > unisog mailing list
> > unisog at lists.sans.org
> > http://www.dshield.org/mailman/listinfo/unisog
> > 
-- 
Scott Dier <sdier at cs.umn.edu>
CS/IT Systems Staff
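The indicators in the quoted Counterpane advisory (the subject lines, the .zip/.com/.scr/.exe/.pif/.bat attachment types, and attachment names built from the recipient's domain) can be combined into a mail-gateway triage heuristic for sites whose central scanners have no signature yet. The block below is an added example for this thread, not code from Counterpane, the University of Minnesota or any list member. The sample messages are constructed; the weights, the quarantine threshold, and the reading of "hi error" as two subjects and "The/Your m/Message could not be delivered" as two variants are assumptions.

```python
"""Mail-gateway triage for the MyDoom.M indicators quoted in the thread above.

Added example; not code from Counterpane, the University of Minnesota or any
list member. Weights, threshold and sample messages are assumptions.
"""
import re
from email.utils import parseaddr

# Subject lines from the quoted advisory, lowercased and whitespace-normalized.
# "hi error" is read as two entries and "The/Your m/Message could not be
# delivered" as two variants (assumption about the advisory's line wrapping).
KNOWN_SUBJECTS = {
    "hello", "hi", "error", "status", "test", "report", "delivery failed",
    "message could not be delivered",
    "the message could not be delivered",
    "your message could not be delivered",
    "mail system error - returned mail",
    "delivery reports about your e-mail",
    "returned mail: see transcript for details",
    "returned mail: data format error",
    "the original message was included as attachment",
}

# Attachment types the advisory says the worm uses.
RISKY_EXTENSIONS = {".zip", ".com", ".scr", ".exe", ".pif", ".bat"}

# Assumed weights: an attachment named after the recipient is the strongest signal.
WEIGHTS = {"subject": 1, "extension": 2, "naming": 2}
QUARANTINE_AT = 3  # assumed threshold: subject + risky attachment, or naming + extension


def normalize(text):
    """Lowercase and collapse whitespace so header quirks do not defeat matching."""
    return re.sub(r"\s+", " ", text.strip().lower())


def split_name(filename):
    """Return (stem, extension), both lowercased; extension is '' if absent."""
    m = re.match(r"^(.*?)(\.[a-z0-9]+)?$", filename.strip().lower())
    return (m.group(1), m.group(2) or "")


def derived_from_recipient(filename, recipient):
    """True when the attachment name reuses the recipient's domain, a domain
    label, or the recipient's local part, the scheme the advisory describes
    (help@yourdomain.org receiving yourdomain.exe or help@yourdomain.zip)."""
    _, addr = parseaddr(recipient)
    if "@" not in addr:
        return False
    local, domain = addr.lower().split("@", 1)
    stem, _ = split_name(filename)
    labels = [lab for lab in domain.split(".")[:-1] if len(lab) >= 3]  # skip the TLD
    return (stem == domain
            or any(lab in stem for lab in labels)
            or stem.startswith(local + "@"))


def triage(message):
    """Score one message dict with keys 'to', 'subject', 'attachments'.

    Returns (score, reasons); reasons are strings for the quarantine log."""
    score, reasons = 0, []
    if normalize(message["subject"]) in KNOWN_SUBJECTS:
        score += WEIGHTS["subject"]
        reasons.append("subject on advisory list: %r" % message["subject"])
    for filename in message.get("attachments", []):
        _, ext = split_name(filename)
        if ext not in RISKY_EXTENSIONS:
            continue
        score += WEIGHTS["extension"]
        reasons.append("risky attachment type: %s" % filename)
        if derived_from_recipient(filename, message["to"]):
            score += WEIGHTS["naming"]
            reasons.append("attachment named after recipient: %s" % filename)
    return score, reasons


def verdict(message):
    """Map a score to an action: quarantine, hold for review, or deliver."""
    score, _ = triage(message)
    if score >= QUARANTINE_AT:
        return "quarantine"
    return "review" if score > 0 else "deliver"


# Constructed sample traffic: three worm-like messages and two ordinary ones.
SAMPLE_MESSAGES = [
    {"to": "help@yourdomain.org", "subject": "Returned mail: see transcript for details",
     "attachments": ["yourdomain.zip"]},
    {"to": "help@yourdomain.org", "subject": "Delivery reports about your e-mail",
     "attachments": ["help@yourdomain.scr"]},
    {"to": "ops@yourdomain.org", "subject": "status",
     "attachments": ["readme.txt", "yourdomain.pif"]},
    {"to": "alice@yourdomain.org", "subject": "Q3 budget", "attachments": ["budget.xlsx"]},
    {"to": "bob@yourdomain.org", "subject": "hello", "attachments": []},
]


def triage_all(messages=SAMPLE_MESSAGES):
    """Return the verdict for each message, in order."""
    return [verdict(m) for m in messages]


if __name__ == "__main__":
    for msg, action in zip(SAMPLE_MESSAGES, triage_all()):
        print(action.upper().ljust(10), msg["to"], "|", msg["subject"], "|", triage(msg)[1])
```

A subject match on its own only holds the message for review, because "hello" or "status" is ordinary traffic; it is the pairing with an executable or archive attachment, and above all an attachment named after the recipient's own domain, that pushes a message over the quarantine threshold. Tune the weights and the threshold to local traffic before enforcing.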